An in-depth look at AsyncRAT campaigns tied to APT-C-36 and related RATs, focusing on evolving TTPs and how the Colombian distribution behaves in practice. The analyzed sample (Stub.exe) reveals anti-analysis checks, persistence via scheduled tasks and Run key…
Category: Threat Research
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
A new Browser-in-the-Browser (BITB) sextortion campaign impersonates the Indian government to coerce victims into paying a fine with their credit card. The attack uses a full-screen fake browser window, browser fingerprinting, and a fraudulent payment flow to …
Microsoft disclosed a new zero-day vulnerability in MSDT (CVE-2022-30190) that enables remote code execution. The exploit chain uses a malicious Word document to load a remote HTML file that runs PowerShell via the ms-msdt schema, with workarounds and indicato…
XLL malware is distributed via email attachments that masquerade as Excel add-ins (.xll) and run when opened, delivering various payloads including ransomware and info-stealers. The campaign uses DLL-based XLLs (some via Excel-DNA) and downloads additional mal…
Fortinet’s FortiGuard Labs documented a phishing campaign that delivers three fileless malware payloads to Windows hosts, enabling attacker control and data theft via a C2 channel. The payloads AveMariaRAT, PandorahVNC RAT, and BitRat steal credentials, capture screens…
Trustwave SpiderLabs observed a Grandoreiro campaign targeting bank users in Brazil, Spain, and Mexico during tax season, delivered via Portuguese-language phishing emails that link to a malicious PDF. The campaign uses a multifaceted payload chain—including a…
Trend Micro analyzes exploitation of CVE-2022-29464 in WSO2 products, which leads to web shell deployment and the installation of Linux-compatible Cobalt Strike beacons along with other malware. The campaign shows persistence across multiple products, uses web…
Checkpoint researchers analyze the evolution of XLoader, focusing on how the botnet camouflages its real C2 servers among 64 decoy domains and how later versions rotate domains more intelligently to evade analysis. The article details 2.5 and 2.6 updates that use proba…
The campaign distributes malicious documents that abuse an XML-driven download chain and legitimate payload hosting to deliver staged malware. It culminates with data-stealing payloads (Arkei Stealer and Eternity Stealer), using macro-based loaders and C2/down…
Black Basta ransomware is analyzed for its rapid network impact, data theft, and in-memory encryption with double extortion. IBM X-Force details the loader, behavior, and indicators to help defenders detect and mitigate this threat. Hashtags: #BlackBasta #IBMX…
CrowdStrike data show Mirai variants built for Intel-powered Linux systems more than doubling in Q1 2022 versus Q1 2021, with 32-bit x86 builds rising the most. Mirai continues to expand across Linux devices—from IoT to servers—by exploiting unpatched flaws su…
SEKOIA.IO Threat & Detection Research uncovers a Turla-led reconnaissance campaign targeting Eastern Europe, including the Baltic Defense College and the Austrian Economic Chamber. The operation relies on legitimate-looking Word documents that pull an external…
The article analyzes SocGholish (aka FAKEUPDATES) campaigns and how they function as a major initial-access vector through fake updates, compromised sites, and phishing-style techniques, detailing loader chains and observed IOCs. It covers campaigns delivering…
Fortinet FortiGuard Labs analyzed a phishing email spoofing a Saudi Arabian oil company that lures a Ukrainian coffee company into downloading a GuLoader ISO via OneDrive. The static analysis shows the ISO contains a GuLoader NSIS installer with decoys and obf…